On one of our Solaris 10 servers, the apache service is running. Due to an audit requirement, its error_log grows bigger and we are required to keep it. Sometimes it grows to more than 200GB and fills up the file-system.
The purpose is: if error_log touches 10GB, the apache service should stop, error_log should move to error_log_xxxxxx and the apache service should start.
Application team wants to use a script, which looks straightforward. Below is part of that script

error_log is owned by root, so application user (which will run that script via his cron) will not be able to mv that file. If I can give 'sudo mv' to his id with absolute path, this should serve the purpose, I think.
But I am not able to figure out what the syntax should be in /etc/sudoers for the mv command mentioned in the above script.
Help please.

You can also run your script from the root user's crontab and the problem is solved, and you can get rid of the sudo.

sudo is really overused, especially in situations where it is not necessary.

I have many similar scripts running that are executed by a crontab owned by root. It makes little sense to me to take these kinds of scripts and run them as a non-privileged user only to then sudo to get them to work. This just added extra complexity to the management of the system, in my view, for these kinds of log rotation scripts.

Managing servers for over 40 years, I try to keep things simple. To me, simplicity is elegance.

In addition, I normally never have enough time to do all the things I need to do with IT systems, so I like things simple, self-documenting, and easy to understand so when I go back and have to revisit things months later, it's easy to understand and make changes. In coding and sys admin, I like self-documenting and descriptive, not cryptic or pedantic.

Naturally, you will need to make sure any scripts that are run from the root user cron are only writeable, executable and perhaps only readable by root. The requirement would be similar if you set it up for sudo, but it's similar to just run it from the root crontab.

sudo mostly gives you logging when "people" sudo to execute a privileged command, but since you know that root needs to execute this process in cron, you really don't need sudo for this.

Don't let sudo become a "religion" for your system admin work (as some on the net would want you to "believe").
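
A sketch of the root-crontab approach described in the reply above, as an added example that is not the application team's script and not code from any poster. The log path, the cron path and the `STOP_CMD`/`START_CMD` defaults are placeholders, since the thread does not give the real ones.

```shell
#!/bin/sh
# Added example. Install root-owned, mode 0700, and call it from root's
# crontab so no sudoers rule for mv is needed, e.g. (hypothetical path):
#   0,15,30,45 * * * * /usr/local/sbin/rotate_error_log.sh --run

LOG=${LOG:-/path/to/error_log}            # placeholder: real path not in the thread
LIMIT_BYTES=${LIMIT_BYTES:-10737418240}   # 10 GB threshold from the question
STOP_CMD=${STOP_CMD:-"echo stop-apache-placeholder"}    # assumption: site's stop command
START_CMD=${START_CMD:-"echo start-apache-placeholder"} # assumption: site's start command

over_limit() {
    # find compares the inode size, so a 200 GB log is never read.
    # -type f also rejects a symlink placed where the log should be,
    # which matters because this runs as root.
    [ -n "$(find "$1" -prune -type f -size "+${2}c" 2>/dev/null)" ]
}

rotate_if_over() {
    log=$1
    limit=$2
    over_limit "$log" "$limit" || return 1      # below threshold: nothing to do
    dest="${log}_$(date +%Y%m%d%H%M%S)"         # same directory: mv is a rename
    [ -e "$dest" ] && return 2                  # never overwrite a kept audit log
    $STOP_CMD || return 3
    mv "$log" "$dest"
    rc=$?
    $START_CMD || return 4                      # restart even if the mv failed
    [ "$rc" -eq 0 ] || return 5
    ROTATED=$dest                               # name of the archived file
    return 0
}

if [ "${1:-}" = "--run" ]; then
    rotate_if_over "$LOG" "$LIMIT_BYTES"
fi
```

The archived files still accumulate on the same file-system, so the audit copies need to be compressed or moved off separately.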

If you have a suitable Operating System, which would be very useful to know, have you considered using logrotate for this? You can write a stanza that tells the process what to do and it can be based on size or various other things.

You could schedule this against your own configuration file more frequently than the default 'once overnight' that probably already runs to manage things in /var/log.

Would that be a way forward? You can probably re-use a stanza from /etc/logrotate.conf to get you started.
